Discussion:
Iptables example for mail/web/opevpn server
Raven
2012-02-15 15:08:31 UTC
Hi guys.
I need some help in designing a simple iptables ruleset for a small
server I have recently set up.

It's a VPS so the primary interface is venet0 with a public ip. The
server also runs an openvpn daemon with a 172.16.0.0/24 subnet.

There is obviously no need for NAT or packet forwarding. All outbound
traffic should be allowed while inbound data is to be accepted only on
ports 80, 443, 25, 587 and 1194 (tcp,udp).

Could you give me a rough idea of what a firewall script should look
like?

Thanks

-RV
Arturo Borrero Gonzalez
2012-02-15 18:25:12 UTC
Post by Raven
Hi guys.
I need some help in designing a simple iptables ruleset for a small
server I have recently set up.
It's a VPS so the primary interface is venet0 with a public ip. The
server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
There is obviously no need for NAT or packet forwarding. All outbound
traffic should be allowed while inbound data is to be accepted only on
ports 80, 443, 25, 587 and 1194 (tcp,udp).
Could you give me a rough idea of what a firewall script should look
like?
Thanks
-RV
--
Hi there,

Depending on what kind of complexity you want, you could use a few
iptables lines added at some place like /etc/rc... or somewhere..

like: (this one is valid)

## flush old rules
iptables -F
# rules
iptables -t filter -A INPUT -i venet0 -d your_public_ip \
-p tcp --sport 1024: -m multiport --dports 80,443,25,587 \
-m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i venet0 -d your_ip \
-p udp --sport 1024: --dport 1194 \
-m state --state NEW,ESTABLISHED -j ACCEPT
# default policy
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
##

Or use the same schema, but using a rule for each connection, like:
iptables -t filter -A INPUT -i venet0 -d ip \
-p tcp --sport 1024: --dport 80 -m state --state NEW,ESTABLISHED \
-j ACCEPT
iptables -t filter -A INPUT -i venet0 -d ip \
-p tcp --sport 1024: --dport 443 -m state --state NEW,ESTABLISHED \
-j ACCEPT
etc.. (using that you will see some usage statistics)

Or you could use a more complex schema, using in detail the 'state'
module or even managing per-package-per-protocol flags

I think if you give me more details about the environment of the
server, I could help you by being more explicit.

For example:

· IPv6 use, or support?
· Complex firewall as a service management?
· How many clients are going to use the server?
· What about the scalability factor? Do you plan to expand the server
in the future?
· Is the server in your house, or is it a testing server, so that
availability and security could be forgiven in favor of a quick
setup?


regards.
--
/* Arturo Borrero Gonzalez || ***@linuxmail.org */
/* Use debian gnu/linux! Best OS ever! */
Pascal Hambourg
2012-02-15 19:33:23 UTC
Hello,
Post by Arturo Borrero Gonzalez
Post by Raven
I need some help in designing a simple iptables ruleset for a small
server I have recently set up.
It's a VPS so the primary interface is venet0 with a public ip. The
server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
There is obviously no need for NAT or packet forwarding. All outbound
traffic should be allowed while inbound data is to be accepted only on
ports 80, 443, 25, 587 and 1194 (tcp,udp).
Could you give me a rough idea of what a firewall script should look
like?
Depending on what kind of complexity you want, you could use a few
iptables lines added at some place like /etc/rc... or somewhere..
like: (this one is valid)
## flush old rules
iptables -F
# rules
iptables -t filter -A INPUT -i venet0 -d your_public_ip \
-p tcp --sport 1024: -m multiport --dports 80,443,25,587 \
-m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i venet0 -d your_ip \
-p udp --sport 1024: --dport 1194 \
-m state --state NEW,ESTABLISHED -j ACCEPT
# default policy
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
##
Some parts are missing.
- Port 1194 (openvpn) should be accepted for TCP too.
- Local host traffic on the loopback interface should be accepted.
iptables -A INPUT -i lo -j ACCEPT

- Incoming return traffic for outgoing connections (e.g. DNS replies)
should be accepted.
- Incoming related ICMP messages should be accepted. You want to know
about network problems such as when a host is unreachable or a packet is
too big, don't you?

For those two requirements, just add the usual rule:
iptables -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

And you can remove the now redundant ESTABLISHED state from other rules.
Note that you can also remove the whole state match in the UDP rule as a
UDP packet cannot be in the INVALID state (UDP has no real state).

- Some incoming traffic (TBD) on the tunnel interface created by openvpn
should probably be accepted too, otherwise the VPN won't be very useful.
Post by Arturo Borrero Gonzalez
· IPv6 use, or support?
Just use the same commands with ip6tables instead of iptables.
--
To UNSUBSCRIBE, email to debian-firewall-***@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact ***@lists.debian.org
Archive: http://lists.debian.org/***@plouf.fr.eu.org
Stephan Balmer
2012-02-15 20:24:01 UTC
Post by Arturo Borrero Gonzalez
## flush old rules
iptables -F
# rules
iptables -t filter -A INPUT -i venet0 -d your_public_ip \
-p tcp --sport 1024: -m multiport --dports 80,443,25,587 \
-m state --state NEW,ESTABLISHED -j ACCEPT
iptables -t filter -A INPUT -i venet0 -d your_ip \
-p udp --sport 1024: --dport 1194 \
-m state --state NEW,ESTABLISHED -j ACCEPT
# default policy
iptables -P OUTPUT ACCEPT
iptables -P INPUT DROP
##
I think your script lacks the rule that accepts return packets.
Something along the lines of

iptables -I INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

Without this rule, return packets will be dropped and the server will be
unable to establish connections. Also note the RELATED, which will accept
ICMP notifications. You need those.

I also recommend accepting ICMP echo requests:

iptables -A INPUT -p icmp --icmp-type 8 -j ACCEPT
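The corrections Pascal and Stephan list above, folded into one complete script for the setup Raven described, as an added example that is not code from the thread. It assumes a tun-type OpenVPN device (matched as tun+), the 172.16.0.0/24 VPN subnet from the original post, and that tcp/22 stays open for administration (not in the original port list); run it as root with the argument `apply`, or without arguments to only print the rules.

```shell
#!/bin/sh
# Added example (not from the thread): default-deny inbound ruleset for a
# VPS with a public venet0 interface, an OpenVPN daemon and no forwarding.
# Assumptions: tun-type VPN device (tun+), VPN subnet 172.16.0.0/24,
# SSH on tcp/22 kept open for administration.
IPT="${IPT:-iptables}"        # set IPT=ip6tables (with v6 addresses) for IPv6
WAN_IF="venet0"
VPN_IF="tun+"
VPN_NET="172.16.0.0/24"
SERVICE_TCP="25,80,443,587"

# run one iptables command; with IPT="echo iptables" it is printed instead
r() { $IPT "$@"; }

ruleset() {
    # reset the filter table; nat and mangle are not used on this host
    r -F
    r -X
    r -P INPUT DROP
    r -P FORWARD DROP         # no packet forwarding
    r -P OUTPUT ACCEPT        # all outbound traffic allowed

    # local services talk to each other over the loopback interface
    r -A INPUT -i lo -j ACCEPT

    # return packets of outbound connections (DNS replies, outgoing SMTP)
    # plus the ICMP errors related to them; this makes ESTABLISHED
    # redundant in every later rule
    r -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT

    # the VPN side: anything arriving over the tunnel from the VPN subnet
    r -A INPUT -i "$VPN_IF" -s "$VPN_NET" -j ACCEPT

    # echo requests, so the host answers ping
    r -A INPUT -p icmp --icmp-type echo-request -j ACCEPT

    # public services on the WAN interface; only new connections need a rule
    r -A INPUT -i "$WAN_IF" -p tcp -m multiport --dports "$SERVICE_TCP" \
        -m state --state NEW -j ACCEPT

    # OpenVPN on both transports; UDP has no state worth matching
    r -A INPUT -i "$WAN_IF" -p tcp --dport 1194 -m state --state NEW -j ACCEPT
    r -A INPUT -i "$WAN_IF" -p udp --dport 1194 -j ACCEPT

    # administration (assumption, see header)
    r -A INPUT -i "$WAN_IF" -p tcp --dport 22 -m state --state NEW -j ACCEPT

    # everything else inbound falls through to the INPUT DROP policy
}

# print the commands without touching the kernel
dryrun() { ( IPT="echo iptables"; ruleset ); }

case "${1:-}" in
    apply) ruleset ;;     # needs root
    *)     dryrun ;;      # default: show what would be applied
esac
```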
Raven
2012-02-16 11:36:48 UTC
Post by Arturo Borrero Gonzalez
Post by Raven
Hi guys.
I need some help in designing a simple iptables ruleset for a small
server I have recently set up.
It's a VPS so the primary interface is venet0 with a public ip. The
server also runs an openvpn daemon with a 172.16.0.0/24 subnet.
There is obviously no need for NAT or packet forwarding. All outbound
traffic should be allowed while inbound data is to be accepted only on
ports 80, 443, 25, 587 and 1194 (tcp,udp).
Could you give me a rough idea of what a firewall script should look
like?
Thanks
-RV
I think if you give me more details about the environment of the
server, I could help you by being more explicit.
· IPv6 use, or support?
· Complex firewall as a service management?
· How many clients are going to use the server?
· What about the scalability factor? Do you plan to expand the server
in the future?
· Is the server in your house, or is it a testing server, so that
availability and security could be forgiven in favor of a quick
setup?
1) IPv6 will be implemented in the near future. For now I'm focusing on
v4.
2) Didn't really understand that question :)
3) A fair number. Busy MTA and 70-80 clients on httpd.
4) I do, but in that case I will add a rule manually for whatever
protocol I need to.
5) As of now the server is just a secondary MX and a failover httpd
server. If all works out I plan to use it as primary.

I probably should have mentioned this earlier, but my predecessor left
me with a firewall script that, when launched, locks me out of the
server.
It seems all kosher to me, so I wonder why it's behaving like that:


#!/bin/sh
IPT="/sbin/iptables"
# Internet Interface
INET_IFACE="venet0"
INET_ADDRESS="xxx.xxx.xxx.xxx"
# OpenVPN
OV="172.16.0.0/16"

# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"

echo "Flushing Tables ..."

# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT

# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F

# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X

#Set Policies

$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP

# unlimited access to VPN
iptables -A INPUT -s $OV -j ACCEPT
iptables -A OUTPUT -s $OV -j ACCEPT

# Munin accounting stuff
/sbin/iptables -A INPUT -d $INET_ADDRESS
/sbin/iptables -A OUTPUT -s $INET_ADDRESS
/sbin/iptables -A INPUT -d 172.16.0.1
/sbin/iptables -A OUTPUT -s 172.16.0.1


#Filter INVALID packets
$IPT -N bad_packets

#Filter bad tcp packets
$IPT -N bad_tcp_packets

#Chains for icmp, tcp (incoming and outgoing)
$IPT -N icmp_packets
$IPT -N udp_inbound

#Inbound services
$IPT -N tcp_inbound

#Outbound services
$IPT -N tcp_outbound
# udp_outbound is appended to below, so it must be created as well
$IPT -N udp_outbound


# Drop INVALID packets immediately
$IPT -A bad_packets -p ALL -m state --state INVALID -j DROP

# Then check the tcp packets for additional problems
$IPT -A bad_packets -p tcp -j bad_tcp_packets

# All good, so return
$IPT -A bad_packets -p ALL -j RETURN

$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
  -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP

#All good, so return
$IPT -A bad_tcp_packets -p tcp -j RETURN


# icmp_packets chain
$IPT -A icmp_packets --fragment -p ICMP -j DROP
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 8 -j ACCEPT

#Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT



# udp_inbound chain
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 137 -j DROP
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 138 -j DROP

#NTP Server
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT


# udp_outbound chain
#
#ACCEPT
$IPT -A udp_outbound -p UDP -s 0/0 -j ACCEPT

# tcp_inbound chain

# HTTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 80 -j ACCEPT

# FTP Server (Control)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 21 -j ACCEPT

# FTP Client (Data Port for non-PASV transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT

# Passive FTP
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 62000:63000 \
  -j ACCEPT

# Email Server (SMTP)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 25 -j ACCEPT

# Email Server (SMTP SUBMISSION)
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 587 -j ACCEPT

# Email Server (POP3)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 110 -j ACCEPT

# Email Server (IMAP4)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 143 -j ACCEPT

# SSL Email Server (POP3s)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 995 -j ACCEPT

# SSL Email Server (IMAP4s)
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 993 -j ACCEPT

# sshd
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 22 -j ACCEPT

# Munin
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 4949 -j ACCEPT

# Rsync
# $IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 873 -j ACCEPT

# openvpn
$IPT -A tcp_inbound -p TCP -s 0/0 --destination-port 1194 -j ACCEPT
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 1194 -j ACCEPT

# No match, so ACCEPT
$IPT -A tcp_outbound -p TCP -s 0/0 -j ACCEPT


echo "Process INPUT chain ..."

# Allow all on localhost interface
$IPT -A INPUT -p ALL -i $LO_IFACE -j ACCEPT

# Drop bad packets
$IPT -A INPUT -p ALL -j bad_packets

# Accept Established Connections
$IPT -A INPUT -p ALL -i $INET_IFACE -m state --state ESTABLISHED,RELATED \
  -j ACCEPT

# Route the rest to the appropriate user chain
$IPT -A INPUT -p TCP -i $INET_IFACE -j tcp_inbound
$IPT -A INPUT -p UDP -i $INET_IFACE -j udp_inbound
$IPT -A INPUT -p ICMP -i $INET_IFACE -j icmp_packets


echo "Process OUTPUT chain ..."
$IPT -A OUTPUT -m state -p icmp --state INVALID -j DROP

# Localhost
$IPT -A OUTPUT -p ALL -s $LO_IP -j ACCEPT
$IPT -A OUTPUT -p ALL -o $LO_IFACE -j ACCEPT

# To internet
$IPT -A OUTPUT -p ALL -o $INET_IFACE -j ACCEPT


-RV
Jonathan Plews
2012-02-16 14:57:43 UTC
Post by Raven
I probably should have mentioned this earlier, but my predecessor left
me with a firewall script that, when launched, locks me out of the
server.
I would recommend having a look at Shorewall rather than wrestle with
iptables scripts.

Use the files in /usr/share/doc/shorewall/examples/one-interface as the
base, check /usr/share/shorewall for macro.<proto> files and add them to
the rules.

Copy the files into /etc/shorewall/ and make the changes:

interfaces:
change eth0 to venet0, add tap0 in zone 'vpn' for openvpn (or a tun,
bridge etc, whatever you're using)

policy:
add 'vpn $FW ACCEPT', and possibly '$FW vpn ACCEPT'

rules:
look in /usr/share/shorewall/ for macro files and define them like this:

SSH(ACCEPT)   net   $FW
...

zones:

add 'vpn' zone here type ipv4


That's it, then on the command line 'shorewall' lets you control it, don't
forget to edit /etc/default/shorewall if you want it to start at boot
(once you know the rules are sound of course)


If you have a go with this and have problems post your config, and I'll
try to help.


Regards

Jon
Pascal Hambourg
2012-02-16 20:19:30 UTC
Post by Raven
I probably should have mentioned this earlier, but my predecessor left
me with a firewall script that, when launched, locks me out of the
server.
IMO it contains a number of inconsistencies and redundancies.
Post by Raven
#!/bin/sh
IPT="/sbin/iptables"
# Internet Interface
INET_IFACE="venet0"
INET_ADDRESS="xxx.xxx.xxx.xxx"
# OpenVPN
OV="172.16.0.0/16"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
Why set the default policies to ACCEPT if you set them to DROP a few
lines later?
Post by Raven
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
Either the script is very old, or the author was not aware that the
mangle table has had three extra chains (INPUT, FORWARD, POSTROUTING)
for a very long time now.
Post by Raven
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
#Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# unlimited access to VPN
iptables -A INPUT -s $OV -j ACCEPT
iptables -A OUTPUT -s $OV -j ACCEPT
# Munin accounting stuff
/sbin/iptables -A INPUT -d $INET_ADDRESS
/sbin/iptables -A OUTPUT -s $INET_ADDRESS
If the address is correct, these two rules set the host wide open
inbound and outbound, so I do not see how the ruleset could possibly
"lock you out".
Post by Raven
/sbin/iptables -A INPUT -d 172.16.0.1
/sbin/iptables -A OUTPUT -s 172.16.0.1
Mixing $IPT, iptables and /sbin/iptables is not very consistent.

[...]
Post by Raven
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
  -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
This is not really needed any more. The current Linux IP stack handles
these patterns which are *not* all invalid (the TCP specification sets
priorities among flags, so multiple conflicting flags may be present).
It may be useful only on a firewall to protect vulnerable hosts.
Post by Raven
#Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
Valid ICMP time exceeded, along with other ICMP error types, are in the
RELATED state, so this rule is not necessary.

[...]
Post by Raven
#NTP Server
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT
You didn't mention that the host was an NTP server.

[...]
Post by Raven
# FTP Client (Data Port for non-PASV transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
Don't do this. It accepts anything from anyone using source port 20.
Raven
2012-02-16 21:39:32 UTC
Post by Pascal Hambourg
Post by Raven
I probably should have mentioned this earlier, but my predecessor left
me with a firewall script that, when launched, locks me out of the
server.
IMO it contains a number of inconsistencies and redundancies.
Pascal, thank you for your exhaustive review.
As I previously said, I "inherited" this firewall script from the IT guy
that came before me.
I'm trying to make it work and at the same time learn some iptables
basics..
Post by Pascal Hambourg
Post by Raven
#!/bin/sh
IPT="/sbin/iptables"
# Internet Interface
INET_IFACE="venet0"
INET_ADDRESS="xxx.xxx.xxx.xxx"
# OpenVPN
OV="172.16.0.0/16"
# Localhost Interface
LO_IFACE="lo"
LO_IP="127.0.0.1"
echo "Flushing Tables ..."
# Reset Default Policies
$IPT -P INPUT ACCEPT
$IPT -P FORWARD ACCEPT
$IPT -P OUTPUT ACCEPT
Why set the default policies to ACCEPT if you set them to DROP a few
lines later?
I was wondering the same thing..
Post by Pascal Hambourg
Post by Raven
$IPT -t nat -P PREROUTING ACCEPT
$IPT -t nat -P POSTROUTING ACCEPT
$IPT -t nat -P OUTPUT ACCEPT
$IPT -t mangle -P PREROUTING ACCEPT
$IPT -t mangle -P OUTPUT ACCEPT
Either the script is very old, or the author was not aware that the
mangle table has had three extra chains (INPUT, FORWARD, POSTROUTING)
for a very long time now.
Given that it is a standalone server, do I really need nat and mangle
tables?
Post by Pascal Hambourg
Post by Raven
# Flush all rules
$IPT -F
$IPT -t nat -F
$IPT -t mangle -F
# Erase all non-default chains
$IPT -X
$IPT -t nat -X
$IPT -t mangle -X
#Set Policies
$IPT -P INPUT DROP
$IPT -P OUTPUT DROP
$IPT -P FORWARD DROP
# unlimited access to VPN
iptables -A INPUT -s $OV -j ACCEPT
iptables -A OUTPUT -s $OV -j ACCEPT
# Munin accounting stuff
/sbin/iptables -A INPUT -d $INET_ADDRESS
/sbin/iptables -A OUTPUT -s $INET_ADDRESS
If the address is correct, these two rules set the host wide open
inbound and outbound, so I do not see how the ruleset could possibly
"lock you out".
AFAIK, this is a "dummy" ruleset to be used by a Munin plugin (the
monitoring tool we use).
Since the "open doors" is at the beginning of the script, doesn't it get
restricted later on?
Post by Pascal Hambourg
Post by Raven
/sbin/iptables -A INPUT -d 172.16.0.1
/sbin/iptables -A OUTPUT -s 172.16.0.1
Mixing $IPT, iptables and /sbin/iptables is not very consistent.
[...]
Post by Raven
$IPT -A bad_tcp_packets -p tcp ! --syn -m state --state NEW -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL NONE -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL ALL -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL FIN,URG,PSH -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags ALL SYN,RST,ACK,FIN,URG \
  -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
$IPT -A bad_tcp_packets -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
This is not really needed any more. The current Linux IP stack handles
these patterns which are *not* all invalid (the TCP specification sets
priorities among flags, so multiple conflicting flags may be present).
It may be useful only on a firewall to protect vulnerable hosts.
Agreed.
Post by Pascal Hambourg
Post by Raven
#Time Exceeded
$IPT -A icmp_packets -p ICMP -s 0/0 --icmp-type 11 -j ACCEPT
Valid ICMP time exceeded, along with other ICMP error types, are in the
RELATED state, so this rule is not necessary.
[...]
Post by Raven
#NTP Server
$IPT -A udp_inbound -p UDP -s 0/0 --destination-port 123 -j ACCEPT
You didn't mention that the host was an NTP server.
Indeed. It shouldn't be.
Post by Pascal Hambourg
[...]
Post by Raven
# FTP Client (Data Port for non-PASV transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
Don't do this. It accepts anything from anyone using source port 20.
I was wondering: do I really need all this mumbo jumbo with packet
states and separate UDP/TCP chains?
I mean, won't the firewall be enough if I close it all down inbound on
the public IP and open ports on a need-to basis? (obviously lo and vpn
would have total IN/OUT access)


-RV
Pascal Hambourg
2012-02-17 20:49:05 UTC
Post by Raven
Given that it is a standalone server, do I really need nat and mangle
tables?
It is good practice to reset tables which you do not use, because you
don't always know the prior state. However you can skip this step if you
can check in /proc/net/ip_tables_names that those tables are not active.
Post by Raven
Post by Pascal Hambourg
Post by Raven
# Munin accounting stuff
/sbin/iptables -A INPUT -d $INET_ADDRESS
/sbin/iptables -A OUTPUT -s $INET_ADDRESS
If the address is correct, these two rules set the host wide open
inbound and outbound, so I do not see how the ruleset could possibly
"lock you out".
AFAIK, this is a "dummy" ruleset to be used by a Munin plugin (the
monitoring tool we use).
Oops, my mistake. I read too fast and imagined that the rules had the
ACCEPT target. But they have no target and no action.
Post by Raven
Post by Pascal Hambourg
Post by Raven
# FTP Client (Data Port for non-PASV transfers)
$IPT -A tcp_inbound -p TCP -s 0/0 --source-port 20 -j ACCEPT
Don't do this. It accepts anything from anyone using source port 20.
I was wondering: do I really need all this mumbo jumbo with packet
states and separate UDP/TCP chains?
Well, IMO connection state tracking is a very nice and useful feature.
Post by Raven
I mean, won't the firewall be enough if I close it all down inbound on
the public IP and open ports on a need-to basis? (obviously lo and vpn
would have total IN/OUT access)
You cannot only open some ports inbound. If you want to allow all
outbound connections, you need to accept the inbound return packets.
These packets look totally random, except for the connection state
tracking which can match them with previous outbound packets.
Cory Oldford
2012-02-15 18:35:58 UTC
It's important to know when the rules are actually put in place during the boot process. This can be controlled via its index in /etc/rc.*. A more interface-specific location would be /etc/network/{if-down.d,if-post-down.d,if-pre-up.d,if-up.d}. Also note that the openvpn devices can be referenced as tun+ rather than the absolute device name.
--
Cory Oldford
PeaceWorks Computer Consulting
#1 - 396 Assiniboine Ave, Winnipeg
204 480 0314 --or-- 519 725 7875, ext 6010.
